Ticket #5056 (closed Bug: invalid)

Opened 4 years ago

Last modified 4 years ago

Protected Tags

Reported by: simshaun Owned by:
Priority: Normal Milestone:
Component: Core : Output Data Version: 3.1
Keywords: Cc:

Description

Reading from this page, http://docs.cksource.com/ckeditor_api/symbols/CKEDITOR.config.html#.protectedSource

If I understand correctly, you must have

config.protectedSource.push( /<\?[\s\S]*?\?>/g ); // Allows PHP Code

in your config to be able to use PHP code within the editor.

However, if I load the editor, switch to Source mode, type some simple PHP:

<?php echo 'Whatever I want.'; ?>

and submit, CKEditor does not entitize or remove the PHP code and it goes through unscathed.

This means I have to manually check for PHP code upon submission.

Correct me if I'm wrong, but I believe that is a bug.

Change History

comment:1 Changed 4 years ago by simshaun

Forgot to add, although I believe it's implied, that I do NOT have

config.protectedSource.push( /<\?[\s\S]*?\?>/g ); // Allows PHP Code

enabled in my config.

comment:2 Changed 4 years ago by alfonsoml

  • Status changed from new to closed
  • Priority changed from High to Normal
  • Resolution set to invalid

protectedSource is meant to be used to handle data that otherwise would be destroyed by the editing system or the browser. It is not any kind of clean up or sanitizing system; you must do it yourself at the server.

comment:3 Changed 4 years ago by simshaun

Thanks for the explanation.

Perhaps that should be clarified in the API docs.
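The server-side check that comment:2 says is the application's job, as an added example (not CKEditor code and not written by anyone in this ticket). It is a Node.js sketch: only the first regular expression comes from the ticket, while the function names, the unterminated-tag pattern and the sample submissions are assumptions constructed for illustration.

```javascript
// Pattern from the ticket: matches a terminated <? ... ?> block.
const PHP_BLOCK = /<\?[\s\S]*?\?>/g;
// PHP treats an unterminated "<?" as code up to end of input, so the
// server-side check also has to match a block with no closing "?>".
// Note: this also matches other processing instructions such as <?xml ... ?>.
const PHP_OPEN = /<\?[\s\S]*?(?:\?>|$)/g;

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Returns every <? ... block (terminated or not) found in the submitted HTML.
function findPhpBlocks(html) {
  return html.match(PHP_OPEN) || [];
}

// Entity-encodes each block so it is stored and rendered as inert text.
function entitizePhp(html) {
  return html.replace(PHP_OPEN, (block) => escapeHtml(block));
}

// Hypothetical policy wrapper: refuse the submission or neutralize it.
function handleSubmission(html, { reject = false } = {}) {
  const blocks = findPhpBlocks(html);
  if (reject && blocks.length > 0) {
    return { ok: false, blocks, html: null };
  }
  return { ok: true, blocks, html: entitizePhp(html) };
}

// Constructed sample submissions, as the editor would post them from Source mode.
const samples = [
  "<p>Hi</p><?php echo 'Whatever I want.'; ?>", // the ticket's snippet
  "<p>x</p><?php echo 1;",                      // no closing ?>
  "<p>Just text</p>",                           // nothing to neutralize
];

for (const s of samples) {
  const terminatedOnly = (s.match(PHP_BLOCK) || []).length;
  const result = handleSubmission(s);
  console.log({ terminatedOnly, found: result.blocks.length, stored: result.html });
}
```

This covers only the `<? ... ?>` case raised in the ticket; the rest of the submitted markup still needs the application's normal HTML sanitizing before it is stored or rendered.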
